Passive TCP Reconstruction and Forensic Analysis with tcpflow

Abstract

Passive TCP session reconstruction is essential for many kinds of network forensics and law enforcement operations, but it is
complicated by packet loss, retransmissions, and possible attacks by adversaries. The key problem is that the participants in a
TCP session may observe the TCP segments differently than the monitor does. An added complication is that many forensic
analysts are unfamiliar with network protocols, so tools must be easy to use and able to tolerate a wide range of data. To
address these issues we rewrote the open source network forensics tool tcpflow, making it more robust to anomalies that users
had reported to us. We also improved the program's usability and performance on large packet captures, and added a simple
visualization that produces a one-page summary PDF for packet captures of any size.
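The core difficulty named in the abstract is that a passive monitor sees segments, not the byte stream the receiving host actually accepted: out-of-order arrival, duplicate retransmissions, and overlapping retransmissions whose bytes disagree with data already captured. The following is an added illustrative reassembler, written for this page and not code from tcpflow or its authors. It keeps one direction of a connection in a sequence-offset map, reports holes, and applies an explicitly chosen overlap policy ("first" or "last" copy wins; the policy names and the sample segments are constructed for the example) so that the ambiguity becomes visible as a count of conflicting bytes rather than being silently resolved.

```python
"""Minimal passive TCP stream reassembler (added example, not tcpflow's code).

A monitor observes (seq, payload) segments for one direction of a TCP
connection.  Segments may arrive out of order, be retransmitted exactly, or be
retransmitted with different bytes at the same sequence numbers.  In the last
case the monitor cannot know which copy the receiving host kept, so the
reassembler must pick a policy and should record that a conflict occurred.
"""

from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # TCP sequence number of payload[0]
    payload: bytes


@dataclass
class StreamReassembler:
    isn: int                    # sequence number of the first data byte
    policy: str = "first"       # "first": keep earliest copy; "last": newest copy wins
    buf: dict = field(default_factory=dict)   # relative offset -> byte value
    conflicts: int = 0          # overlapping bytes whose value disagreed

    def add(self, seg: Segment) -> None:
        # Relative offset, modulo 2**32 so a wrapped sequence space still works.
        base = (seg.seq - self.isn) & 0xFFFFFFFF
        for i, b in enumerate(seg.payload):
            off = base + i
            old = self.buf.get(off)
            if old is None:
                self.buf[off] = b            # new data, no ambiguity
            elif old != b:
                self.conflicts += 1          # same offset, different byte
                if self.policy == "last":
                    self.buf[off] = b
            # old == b: exact duplicate retransmission, nothing to decide

    def contiguous(self) -> bytes:
        """Bytes from offset 0 up to the first hole (what a receiver could deliver)."""
        out = bytearray()
        off = 0
        while off in self.buf:
            out.append(self.buf[off])
            off += 1
        return bytes(out)

    def gaps(self) -> list:
        """Half-open (start, end) ranges of offsets never seen, below the highest seen."""
        if not self.buf:
            return []
        end = max(self.buf) + 1
        out, start = [], None
        for off in range(end):
            if off not in self.buf and start is None:
                start = off
            elif off in self.buf and start is not None:
                out.append((start, off))
                start = None
        return out


def build(segments, isn: int, policy: str = "first") -> StreamReassembler:
    """Feed segments in capture order and return the reassembler state."""
    r = StreamReassembler(isn=isn, policy=policy)
    for seg in segments:
        r.add(seg)
    return r


# Constructed sample capture (not real traffic): one HTTP request line whose
# middle segment arrives late, one exact duplicate, and one overlapping
# retransmission that carries different bytes for the same sequence range.
ISN = 1000
SEGMENTS = [
    Segment(1000, b"GET /ind"),
    Segment(1016, b"HTTP/1.0\r\n"),   # arrives before the middle segment
    Segment(1008, b"ex.html "),        # fills the hole
    Segment(1016, b"HTTP/1.0\r\n"),   # exact duplicate retransmission
    Segment(1004, b"/admin.h"),        # overlaps offsets 4..11 with different bytes
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        r = build(SEGMENTS, ISN, policy)
        print(policy, r.contiguous(), "conflicting bytes:", r.conflicts)
    partial = build(SEGMENTS[:2], ISN)
    print("before the hole is filled:", partial.contiguous(), "gaps:", partial.gaps())
```

With the "first" policy the stream reads as a request for /index.html; with "last" the same capture reads as a request for /admin.html. Neither answer is provably what the server saw, which is why a forensic tool should surface the conflict count (or write both versions) instead of choosing quietly, and why a sender who controls retransmissions can make a monitor disagree with the endpoint.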
